| ID | Domain | Control | Mappings | |
|---|---|---|---|---|
| AUTH-001 | Authentication | Enforce phishing-resistant MFA (FIDO2/CBA) for all administrative accounts; block SMS/voice factors. | A.5.17, A.8.5, PR.AA-03, 6.4 (+4) | 4 |
| AUTH-002 | Authentication | Enforce MFA for all users with number matching to mitigate MFA fatigue. | A.8.5, PR.AA-03, 6.3, Art. 46 (+3) | 1 |
| AUTH-003 | Authentication | Configure Smart Lockout: block the threat actor (source IP), not the user account (AD), after 10 failed attempts. | A.8.5, A.8.3, PR.AA-01, PR.AA-04 (+4) | 0 |
| AUTH-004 | Authentication | Real-time checking of new passwords against global breach (pwned) lists and company-specific banned-word dictionaries. | A.5.17, PR.AA-01, 5.2, Art. 6 (+3) | 0 |
| AUTH-005 | Authentication | Block interactive login for service accounts and rotate their secrets every 90 days (or use Managed Identity). | A.5.16, A.8.2, PR.AA-02, 4.7 (+6) | 1 |
| AUTH-006 | Authentication | Enforce re-authentication for critical actions (e.g., viewing sensitive data) regardless of the existing session token. | A.8.5, PR.AA-04, 16.11, Art. 37 (+2) | 0 |
| AUTH-007 | Authentication | Disable legacy authentication protocols (Basic Auth: POP3, IMAP, SMTP) globally. | A.8.5, A.5.15, PR.AA-05, 4.8 (+3) | 1 |
| JML-001 | Identity Lifecycle (JML) | Automate 'birthright' provisioning from HR, creating accounts disabled until the start date. | A.5.16, A.5.18, PR.AA-01, PR.AA-05 (+7) | 0 |
| JML-002 | Identity Lifecycle (JML) | Review trigger on transfers: a change of role in HR initiates access recertification. | A.5.18, A.8.4, PR.AA-05, 6.5 (+5) | 2 |
| JML-003 | Identity Lifecycle (JML) | Automate the exit 'kill switch': block the account and revoke tokens in <15 min after HR termination. | A.5.16, A.8.5, PR.AA-01, 6.5 (+5) | 1 |
| JML-004 | Identity Lifecycle (JML) | Quarterly access certification campaigns with automatic revocation if the reviewer does not respond. | A.5.18, PR.AA-01, 6.8, Art. 5 (+4) | 1 |
| JML-005 | Identity Lifecycle (JML) | Orphan account detection (reconciliation): compare AD against HR weekly to find ownerless accounts. | A.5.16, ID.AM-01, 5.3, Art. 37 (+3) | 1 |
| JML-006 | Identity Lifecycle (JML) | Strict expiration (TTL) for guest (B2B) accounts, requiring sponsor renewal. | A.5.19, A.5.21, ID.RA-03, 6.7 (+3) | 0 |
| MON-001 | Monitoring (MON) | Centralize audit and sign-in logs in a SIEM. Retention: 90 days (hot) / 365 days (cold). | A.8.15, A.5.33, DE.AE-02, 8.2 (+6) | 2 |
| MON-002 | Monitoring (MON) | Automatic blocking based on risk (user risk / sign-in risk) for high-risk events. | A.8.16, A.8.5, DE.AE-06, 5.2 (+4) | 2 |
| MON-003 | Monitoring (MON) | Alert on consents granted to unverified, illicit, or high-privilege OAuth apps. | A.8.23, A.5.23, DE.CM-06, 13.6 (+5) | 1 |
| MON-004 | Monitoring (MON) | P1 alerts for changes to Tier 0 groups (Global/Domain Admins) with out-of-band notification. | A.8.2, A.6.8, DE.AE-04, 5.4 (+4) | 1 |
| MON-005 | Monitoring (MON) | Monitor anomalies in service principals (read volume, new IPs, atypical hours). | A.8.16, A.5.2, DE.AE-07, 6.6 (+4) | 1 |
| MON-006 | Monitoring (MON) | User feedback ('Not me') in an MFA prompt generates an immediate security incident in the SOC. | A.6.3, A.6.8, DE.DP-04, 14.2 (+4) | 0 |
| PAM-001 | Privileged Access (PAM) | Eliminate permanent privileges (Zero Standing Privileges): admin access is granted only Just-In-Time and is temporary. | A.8.2, A.5.18, PR.AA-05, 5.4 (+5) | 2 |
| PAM-002 | Privileged Access (PAM) | Separate accounts: an adm-user account (no email/web) for administration and a standard user account for daily work. | A.8.2, PR.AA-05, 5.4, Art. 46 (+4) | 2 |
| PAM-003 | Privileged Access (PAM) | Remove the shared local administrator account and use LAPS for unique, per-workstation rotated passwords. | A.8.1, A.8.2, PR.AA-01, 5.5 (+3) | 1 |
| PAM-004 | Privileged Access (PAM) | Implement a tiered model (Tiering/Red Forest): Tier 0 admins never log on to Tier 1/2 systems. | A.8.12, A.5.15, PR.AC-03, 5.4 (+4) | 2 |
| PAM-005 | Privileged Access (PAM) | Two monitored emergency (break-glass) accounts, cloud-only, excluded from MFA, with a long password stored in a vault. | A.5.2, A.8.2, ID.RA-03, 4.3 (+4) | 0 |
| PAM-006 | Privileged Access (PAM) | Require dedicated Privileged Access Workstations (PAW) to access management consoles (Azure/AWS). | A.8.1, A.8.11, PR.AA-02, 4.2 (+3) | 0 |